Account Duplication (Local User Mapping)

I've encountered an account duplication. A directory is pointed as account collector. In the account tab an account appears twice. As you can see below the first one is the right one with all mappings done and the second one is the duplicated one which has no application role and says it's local user mapping. What should I do to prevent that kind of duplication. Any help would be appreciated.

I noticed that on Account Collector, you have specify to collect Accounts information

but at the same time, your Entitlement collector also collect Accounts information. By right you do not need to collect Accounts under "Entitlement Collector". U just need to collect the Group information. When the Group Collector ask about how to resolve Group->"uniqueMember" then use your Account Collector->Account-Custom field.

Secondly, regarding the "Local User Mapping" object. This account object is not created by "Collection".

It is create during Access Request. When a user request new account via form and application uses account template, then system will pre-create an account in IMG during access request. If the request is still not complete yet, this object will remain in the system. U can cancel the request and system will remove this "pre-create" account.

If a user(aka Identity) has an associated account( from collection), then during the request process IG&L should not create a local account. Is this correct?

@Emre

1. As William said, local accounts gets created when request process starts. Try picking a user who has no account, go through the request process but then at the last step, cancel the request. Go to the user and see the accounts, you will find a local account.

2. If the request is submitted, then its the account template which is not converting the local account to AFX create account capability. In our case, we had to re-create the template.

3. We do have some applications where we are not sure what the issue is and the local accounts do get created at random times. We are not able to simulate it correctly to reach out to RSA support.

Secondly, regarding the "Local User Mapping" object. This account object is not created by "Collection".

It is create during Access Request. When a user request new account via form and application uses account template, then system will pre-create an account in IMG during access request. If the request is still not complete yet, this object will remain in the system. U can cancel the request and system will remove this "pre-create" account. "

Two scenarios where 'Local Account' will not get deleted

1. As an admin you are not able to cancel the request because it goes to a cancellable state and gets stuck there.

2. If the user initiates a request via the form and goes all the way to the last screen and cancels. The local-account gets created but there is no request attached.

In this second case, we have to hunt the account and get it removed from the user.

what can we do if the request has been completed and the local account mapping is still showing. I have 4 local mapping accounts that didn't match the collection so now those users are duplicated, and the requests have been completed already by accident instead of being cancelled.

that said, how to di get rid of the local account mappings which i don't need anymore?

During Fulfillment phase, IMG will create an local account first and send command "Create Account" to target applicationfor provisioning.

If the "Create Account" success on target application. Then on the next Account Collection,this local account will "become" a "collected Account". Meaning this local account will be removed and actual account in target application will be collected.

If the "Create Account" failed on target application. Then on the next account collection.this local account still remain there until you have the actual account created in target application & collected from IMG.

Note: Local account in IMG does not represent "actual or collected" account in target application.

There is option to remove this "Local account", goto System->Account Data Collectionthe specify with 180(or lesser) days to purge unnecessary local account mappings.